German Lawyers Call For Their Profession's Bug-Ridden, Soon-To-Be Mandatory, Email System To Be Open Sourced
from the public-trust,-public-code dept
Given the sensitive nature of their work, lawyers need to take particular care when communicating online. One way to address this — quite reasonable, in theory — is to create a dedicated system with strong security built in. That’s the route being taken by Germany’s Federal Bar Association (Bundesrechtsanwaltskammer — BRAK) with its “besondere elektronisches Anwaltspostfach” (special electronic mailbox for lawyers, or beA). However, the reality has not matched the theory, and beA has been plagued with serious security problems. As a post on the Free Software Foundation Europe (FSFE) site explains (original in German)
Numerous scandals and a questionable understanding of security characterize the project, which has been in development for several years. Lawyers should have been reachable through this software since January 1, 2018, but numerous known vulnerabilities have prevented the planned start of the service.
…
Although a security audit was commissioned and carried out in 2015, its scope and results have not been published to date; the full extent of the faulty programming became known only at the end of 2017. Thus the project, which has cost lawyers so far about 38 million euros, has already lost people’s trust. In view of the numerous errors, the confidentiality of the sent messages can no longer be guaranteed — and this is for software whose use from 2022 onwards becomes mandatory for all court documentation traffic.
Because of the continuing lack of transparency about the evident problems with the project, a number of German lawyers are supporting a petition that asks for an alternative approach, reported here by the Open Source Observatory:
The petition calls on Germany’s Bundesrechtsanwaltskammer (Federal Bar Association, or BRAK) to publish the beA software under a free and open source software licence and open the software development process. “Only in this way can it slowly restore the trust of the users — all lawyers, authorities and courts,” the petition says.
As the petition notes (original in German):
Disclosure of the program code allows independent IT professionals to report potential security vulnerabilities early on so that they can be fixed; it has been shown once more that keeping the source code secret, and carrying out the audits as agreed in the contract [for creating the beA system] does not lead to the desired result. Free software also guarantees much-needed manufacturer independence.
Over and above the increased transparency that open-sourcing the beA code would bring, and the hope that this would allow security issues to be caught earlier, there is another good reason why the German system for lawyers should be released as free software. Since it will perform a key service for the public, it is only right for representatives of the German public to be able to confirm its trustworthiness. This is part of a larger campaign by the FSFE called “Public Money, Public Code“, which Techdirt wrote about last year. Unfortunately, what ought to be a pretty uncontroversial idea still has a long way to go, as the painful beA saga demonstrates.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: germany, lawyers, open source
Comments on “German Lawyers Call For Their Profession's Bug-Ridden, Soon-To-Be Mandatory, Email System To Be Open Sourced”
New Bread Box Need, New Engineers Requested
I am trying to discern the reason the German Government did not chose an existing secure email program and then just dictate the various addresses to be used? Was there a particular need to build a system from the ground up? Right, some contractor needed the income.
If a particular system is already secure, and there would be a benefit to it being opened sourced (with the exception of the encryption algorithm) so that security could be further verified, then why would someone actually want to build a new one? That is if there was no profit motivation? Government should never have a profit motivation. Cost savings, maybe, but that would mean that something is cut, not added.
What is actually needed in such a system? A secure sending unit, a secure receiving unit, and a secure server to store the communication and a secure system for distributing the already secure communication to only those that have the appropriate security clearance to receive them. Hasn’t this been built numerous times already?
Is the issue that those already built systems weren’t properly translated into German? Wouldn’t it be cheaper to do a better job of translation than start from scratch, and maybe build something not as secure? I don’t know the names of the existing systems (as I have no need for them…today, but I know they exist, various governments around the world are complaining about them).
Sheesh
Re: New Bread Box Need, New Engineers Requested
Not making any comment on this particular endeavor, but general — well, email is a hot mess and that’s no big secret. Over the past couple decades, more and more people beginning to think we just need to start over with a greenfield system.
Re: Re: New Bread Box Need, New Engineers Requested
Re: Re: New Bread Box Need, New Engineers Requested
Yes, it would be lovely to start over and apply all the lessons we’ve learned. However, precisely zero of the people proposing that course of action have been able to put forth a workable plan for migrating the entire Internet.
Email has its problems, to be sure. I’ve spent decades documenting and working on them, so I think it’s fair to say I have an extensive awareness of them. But for all that, it’s still the “killer app”, and the communications method of choice for clueful people.
Re: Re: Re: New Bread Box Need, New Engineers Requested
This isn’t about "migrating the entire Internet." It’s about secure communication specifically for lawyers.
Re: Re: Re: New Bread Box Need, New Engineers Requested
coughGPGcoughEnigmailcough
Why do people still not know this? Admittedly it doesn’t obfuscate receiver/sender from email service servers (ie. Gmail/Google, etc.), but it’s better than nothing. If your security is worth that much, maybe set up tiny, cheap RasPi email servers for your clients. Then nobody but the ISPs can snoop on who you’re talking to, at least.
It sounds like the proposed system is less an email system and more a records-management system where things like whether the recipient is authorized to receive a particular document or type of document (so that eg. documents that should be visible to only one party don’t accidentally get sent to opposing counsel) come into play and “email message” is only one of many document types. I can only imagine the mess if they tried to start with an email system and impose those kinds of additional requirements on it.
Ummm
Not said..
Emails? from inside the business from and TO other lawyers and judges??
WHATS THE F’ING PROBLEM??
A single server setup to Connect all the lawyers and judges…Should NOT be a problem,, 1 day to 1 week..
Hi Guys, friend of a lawyer in Germany here, this has been a clusterfuck of epic proportions.
Why does each professional association have to invent a new and different “secure” communicatuion system?
Why did humanity not invent the wheel several times?
Did anybody hear about PGP and Enigmail?
nuff said!
Re: Re:
Thats agreed,
But then you get the Gov/Corps wanting to input backdoors, and moderating All mail..
Which makes the program SO unwieldy, and Complicated…
Some group is always trying to get into the backdoor..
Security isnt/woundnt be a problem, if it was a basic/simple setup.
I bet they want Everyone to use the same Coding on the mail, so that it can be opened by anyone..WHICH isnt private.
Re: Re:
Did you hear about the NSA? They like to collect metadata, and PGP does nothing to protect it.
Re: Re: Re:
Depends on if keeping who you’re talking to secret or what you’re talking to them about secret matters more.
Re: Did anybody hear about PGP and Enigmail?
Sure, in theory it’s a solved problem.
In practice, on the other hand…
They're not building a communications tool
They’re building a target. It will be fully compromised before it goes live.
Re: They're not building a communications tool
A wet dream for the executive. Goal: state trojan world dominance.
Why didn't the German Bar Association.....
Hire V. A. Shiva Ayyadurai ??
/s
Lack of security: Feature, not a bug
Lack of security is a feature, not a bug.
Government prosecutors will somehow be able to anticipate the actions of defence lawyers.
Why else proceed after it is shown that this system does not provide the one thing it is supposed to provide: secure email.